Relocation of metadata server with outstanding DMAPI requests

ABSTRACT

A cluster of computer system nodes share direct read/write access to storage devices via a storage area network using a cluster filesystem and operating system implementing DMAPI. Threads executing on a metadata client know when a DMAPI event is required, and generate the DMAPI event on their own initiative when necessary. A metadata server maintains DMAPI queues. If the metadata server relocates to another host, the DMAPI events in the DMAPI queues are moved transparently to users.

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application is a continuation-in-part of U.S. application Ser. No.10/162,258 filed Jun. 5, 2002 now U.S. Pat. No. 6,950,833, and entitledCLUSTERED FILE SYSTEM, which claims the benefit of U.S. ProvisionalApplication No. 60/296,046 filed Jun. 5, 2001 and entitled CLUSTEREDFILE SYSTEM, both of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention is related to data storage, and more particularlyto a system and method for accessing data within a storage area network.

2. Description of the Related Art

A storage area network (SAN) provides direct, high-speed physicalconnections, e.g., Fibre Channel connections, between multiple hosts anddisk storage. The emergence of SAN technology offers the potential formultiple computer systems to have high-speed access to shared data.However, the software technologies that enable true data sharing aremostly in their infancy. While SANs offer the benefits of consolidatedstorage and a high-speed data network, existing systems do not sharethat data as easily and quickly as directly connected storage. Datasharing is typically accomplished using a network filesystem such asNetwork File System (NFS™ by Sun Microsystems, Inc. of Santa Clara,Calif.) or by manually copying files using file transfer protocol (FTP),a cumbersome and unacceptably slow process.

The challenges faced by a distributed SAN filesystem are different fromthose faced by a traditional network filesystem. For a networkfilesystem, all transactions are mediated and controlled by a fileserver. While the same approach could be transferred to a SAN using muchthe same protocols, that would fail to eliminate the fundamentallimitations of the file server or take advantage of the true benefits ofa SAN. The file server is often a bottleneck hindering performance andis always a single point of failure. The design challenges faced by ashared SAN filesystem are more akin to the challenges of traditionalfilesystem design combined with those of high-availability systems.

Traditional filesystems have evolved over many years to optimize theperformance of the underlying disk pool. Data concerning the state ofthe filesystem (metadata) is typically cached in the host system'smemory to speed access to the filesystem. This caching—essential tofilesystem performance—is the reason why systems cannot simply sharedata stored in traditional filesystems. If multiple systems assume theyhave control of the filesystem and cache filesystem metadata, they willquickly corrupt the filesystem by, for instance, allocating the samedisk space to multiple files. On the other hand, implementing afilesystem that does not allow data caching would provide unacceptablyslow access to all nodes in a cluster.

Systems or software for connecting multiple computer systems or nodes ina cluster to access data storage devices connected by a SAN have becomeavailable from several companies. EMC Corporation of Hopkington, Mass.offers HighRoad file system software for their Celerra™ Data Access inReal Time (DART) file server. Veritas Software of Mountain View, Calif.offers SANPoint which provides simultaneous access to storage formultiple servers with failover and clustering logic for load balancingand recovery. Sistina Software of Minneapolis, Minn. has a similarclustered file system called Global File System™ (GFS). Advanced DigitalInformation Corporation of Redmond, Wash. has several SAN products,including Centra Vision for sharing files across a SAN. As a result ofmergers the last few years, Hewlett-Packard Company of Palo Alto, Calif.has more than one cluster operating system offered by their CompaqComputer Corporation subsidiary which use the Cluster File Systemdeveloped by Digital Equipment Corporation in their TruCluster andOpenVMS Cluster products. However, none of these products are known toprovide direct read and write over a Fibre Channel by any node in acluster. What is desired is a method of accessing data within a SANwhich provides true data sharing by allowing all SAN-attached systemsdirect access to the same filesystem. Furthermore, conventionalhierarchal storage management uses an industry standard interface calleddata migration application programming interface (DMAPI). However, ifthere are five machines, each accessing the same file, there will befive separate events and there is nothing tying those DMAPI eventstogether.

SUMMARY OF THE INVENTION

It is an aspect of the present invention to provide relocation of ametadata server with outstanding DMAPI requests in a shared storage areanetwork.

It is yet another aspect of the present invention that DMAPI requestsare transparently reissued to a new metadata server.

At least one of the above aspects can be attained by a method ofexecuting operations on virtual metadata in a process thread, includingreleasing a lock on the virtual metadata if relocation of a requiredmetadata server is underway during execution of the operations on thevirtual metadata. The virtual metadata may be formed as a private datachain, and the method also includes locking a pointer to the privatedata chain prior to linking to a first item of private data in theprivate data chain. Furthermore, after releasing the lock, the threadwaits for availability of a lock on the pointer to the private datachain upon completion of relocation of the metadata server, beforecontinuing with execution of operations on the virtual metadata.

These together with other aspects and advantages which will besubsequently apparent, reside in the details of construction andoperation as more fully hereinafter described and claimed, referencebeing had to the accompanying drawings forming a part hereof, whereinlike numerals refer to like parts throughout.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a layer model of a storage area network.

FIG. 2 is a block diagram of a cluster computing system.

FIG. 3 is a block diagram of filesystem specific and nonspecific layersin a metadata server and a metadata client.

FIGS. 4A-4B are block diagrams of behavior chains.

FIG. 5 is a block diagram showing the request and return of tokens.

FIG. 6 is a block diagram of integration between a data migrationfacility server and a client node.

FIGS. 7 and 8 are flowcharts of operations performed to access dataunder hierarchical storage management.

FIG. 9 is a block diagram of a mirrored data volume.

FIG. 10 is a state machine diagram of cluster membership.

FIG. 11 is a flowchart of a process for recovering from the loss of anode.

FIG. 12 is a flowchart of a common object recovery protocol.

FIG. 13 a flowchart of a kernel object relocation engine.

FIGS. 14A-14H are a sequence of state machine diagrams of serverrelocation.

FIGS. 15A and 15B are flowcharts of executing vnode operations accordingto the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Following are several terms used herein that are in common use indescribing filesystems or SANs, or are unique to the disclosed system.Several of the terms will be defined more thoroughly below.

bag indefinitely sized container object for tagged data

behavior chain vnode points to head, elements are inode, and vnodeoperations

cfs or CXFS cluster file system (CXFS is from Silicon Graphics, Inc.)

chandle client handle: barrier lock, state information and an objectpointer

CMS cell membership services

CORPSE common object recovery for server endurance

dcvn file system specific components for vnode in client, i.e., inode

DMAPI data migration application programming interface

DNS distributed name service, such as SGI's white pages

dsvn cfs specific components for vnode in server, i.e., inode

heartbeat network message indicating a node's presence on a LAN

HSM hierarchical storage management

inode file system specific information, i.e., metadata

KORE kernel object relocation engine

manifest bag including object handle and pointer for each data structure

quiesce render quiescent, i.e., temporarily inactive or disabled

RPC remote procedure call

token an object having states used to control access to data & metadata

vfs virtual file system representing the file system itself

vnode virtual inode to manipulate files without file system details

XVM volume manager for CXFS

In addition there are three types of input/output operations that can beperformed in a system according to the present invention: buffered I/O,direct I/O and memory mapped I/O. Buffered I/O are read and writeoperations via system calls where the source or result of the I/Ooperation can be system memory on the machine executing the I/O, whiledirect I/O are read and write operations via system calls where the datais transferred directly between the storage device and the applicationprograms memory without being copied through system memory.

Memory mapped I/O are read and write operations performed by page fault.The application program makes a system call to memory map a range of afile. Subsequent read memory accesses to the memory returned by thissystem call cause the memory to be filled with data from the file. Writeaccesses to the memory cause the data to be stored in the file. Memorymapped I/O uses the same system memory as buffered I/O to cache parts ofthe file.

A SAN layer model is illustrated in FIG. 1. SAN technology can beconveniently discussed in terms of three distinct layers. Layer 1 is thelowest layer which includes basic hardware and software componentsnecessary to construct a working SAN. Recently, layer 1 technology hasbecome widely available, and interoperability between vendors isimproving rapidly. Single and dual arbitrated loops have seen theearliest deployment, followed by fabrics of one or more Fibre Channelswitches.

Layer 2 is SAN management and includes tools to facilitate monitoringand management of the various components of a SAN. All the tools used indirect-attach storage environments are already available for SANs.Comprehensive LAN management style tools that tie common managementfunctions together are being developed. SAN management will soon becomeas elegant as LAN management.

The real promise of SANs, however, lies in layer 3, the distributed,shared filesystem. Layer 1 and layer 2 components allow a storageinfrastructure to be built in which all SAN-connected computer systemspotentially have access to all SAN-connected storage, but they don'tprovide the ability to truly share data. Additional software is requiredto mediate and manage shared access, otherwise data would quickly becomecorrupted and inaccessible.

In practice, this means that on most SANs, storage is still partitionedbetween various systems. SAN managers may be able to quickly reassignstorage to another system in the face of a failure and to more flexiblymanage their total available storage, but independent systems cannotsimultaneously access the same data residing in the same filesystems.

Shared, high-speed data access is critical for applications where largedata sets are the norm. In fields as diverse as satellite dataacquisition and processing, CAD/CAM, and seismic data analysis, it iscommon for files to be copied from a central repository over the LAN toa local system for processing and then copied back. This wasteful andinefficient process can be completely avoided when all systems canaccess data directly over a SAN.

Shared access is also crucial for clustered computing. Access controlsand management are more stringent than with network filesystems toensure data integrity. In most existing high-availability clusters,storage and applications are partitioned and another server assumes anyfailed server's storage and workload. While this may prevent denial ofservice in case of a failure, load balancing is difficult and system andstorage bandwidth is often wasted. In high-performance computingclusters, where workload is split between multiple systems, typicallyonly one system has direct data access. The other cluster members arehampered by slower data access using network file systems such as NFS.

In a preferred embodiment, the SAN includes hierarchical storagemanagement (HSM) such as data migration facility (DMF) by SiliconGraphics, Inc. (SGI) of Mountain View, Calif. The primary purpose of HSMis to preserve the economic value of storage media and stored data. Thehigh input/output bandwidth of conventional machine environments issufficient to overrun online disk resources. HSM transparently solvesstorage management issues, such as managing private tape libraries,making archive decisions, and journaling the storage so that data can beretrieved at a later date.

Preferably, a volume manager, such as XVM from SGI supports the clusterenvironment by providing an image of storage devices across all nodes ina cluster and allowing for administration of the devices from any cellin the cluster. Disks within a cluster can be assigned dynamically tothe entire cluster or to individual nodes within the cluster. In oneembodiment, disk volumes are constructed using XVM to provide diskstriping, mirroring, concatenation and advanced recovery features.Low-level mechanisms for sharing disk volumes between systems areprovided, making defined disk volumes visible across multiple systems.XVM is used to combine a large number of disks across multiple FibreChannels into high transaction rate, high bandwidth, and highly reliableconfigurations. Due to its scalability, XVM provides an excellentcomplement to CXFS and SANs. XVM is designed to handle mass storagegrowth and can configure millions of terabytes (exabytes) of storage inone or more filesystems across thousands of disks.

An example of a cluster computing system formed of heterogeneouscomputer systems or nodes is illustrated in FIG. 2. In the exampleillustrated in FIG. 2, nodes 22 run the IRIX operating system from SGIwhile nodes 24 run the Solaris operating system from Sun and node 26runs the Windows NT operating system from Microsoft Corporation ofRedmond Wash. Each of these nodes is a conventional computer systemincluding at least one, and in many cases several processors, local orprimary memory, some of which is used as a disk cache, input/output(I/O) interfaces, I/O devices, such as one or more displays or printers.According to the present invention, the cluster includes a storage areanetwork in which mass or secondary storage, such as disk drives 28 areconnected to the nodes 22, 24, 26 via Fibre Channel switch 30 and FibreChannel connections 32. The nodes 22, 24, 26 are also connected via alocal area network (LAN) 34, such as an Ethernet, using TCP/IP toprovide messaging and heartbeat signals. In the preferred embodiment, aserial port multiplexer 36 is also connected to the LAN and to a serialport of each node to enable hardware reset of the node. In the exampleillustrated in FIG. 2, only IRIX nodes 22 are connected to serial portmultiplexer 36.

Other kinds of storage devices besides disk drives 28 may be connectedto the Fibre Channel switch 30 via Fibre Channel connections 32. Tapedrives 38 are illustrated in FIG. 2, but other conventional storagedevices may also be connected. Alternatively, tape drives 38 (or otherstorage devices) may be connected to one or more of nodes 22, 24, 26,e.g., via SCSI connections (not shown).

In a conventional SAN, the disks are partitioned for access by only asingle node per partition and data is transferred via the LAN. On theother hand, if node 22 c needs to access data in a partition to whichnode 22 b has access, according to the present invention very little ofthe data stored on disk 28 is transmitted over LAN 34. Instead LAN 34 isused to send metadata describing the data stored on disk 28, tokenmessages controlling access to the data, heartbeat signals and otherinformation related to cluster operation and recovery.

In the preferred embodiment, the cluster filesystem is layer thatdistributes input/output directly between the disks and the nodes viaFibre Channel 30,32 while retaining an underlying layer with anefficient input/output path using asynchronous buffering techniques toavoid unnecessary physical input/outputs by delaying writes as long aspossible. This allows the filesystem to allocate the data spaceefficiently and often contiguously. The data tends to be allocated inlarge contiguous chunks, which yields sustained high bandwidths.

Preferably, the underlying layer uses a directory structure based onB-trees, which allow the cluster filesystem to maintain good responsetimes, even as the number of files in a directory grows to tens orhundreds of thousands of files. The cluster filesystem adds acoordination layer to the underlying filesystem layer. Existingfilesystems defined in the underlying layer can be migrated to a clusterfilesystem according to the present invention without necessitating adump and restore (as long as the storage can be attached to the SAN).For example, in the IRIX nodes 22, XVM is used for volume management andXFS is used for filesystem access and control. Thus, the clusterfilesystem layer is referred to as CXFS.

In the cluster file system of the preferred embodiment, one of thenodes, e.g., IRIX node 22 b, is a metadata server for the other nodes22, 24, 26 in the cluster which are thus metadata clients with respectto the file system(s) for which node 22 b is a metadata server. Othernode(s) may serve as metadata server(s) for other file systems. All ofthe client nodes 22, 24 and 26, including metadata server 22 b, providedirect access to files on the filesystem. This is illustrated in FIG. 3in which “vnode” 42 presents a file system independent set of operationson a file to the rest of the operating system. In metadata client 22 athe vnode 42 services requests using the clustered filesystem routinesassociated with dcvn 44 which include token client operations 46described in more detail below. However, in metadata server 22 b, thefile system requests are serviced by the clustered filesystem routinesassociated with dsvn 48 which include token client operations 46 andtoken server operations 50. The metadata server 22 b also maintains themetadata for the underlying filesystem, in this case XFS 52.

Illustrated in FIG. 4A is a vnode behavior chain for a DMAPI-enabledfilesystem on metadata server 22 b. Operating systems, other than IRIX,that use vnodes may have similar structures referred to as “vnodeprivate data” or something else, but the term behavior will be usedbelow. The corresponding vnode behavior chain for client nodes 22, 24,26, is illustrated in FIG. 4B. According to the present invention vnode42 contains the head 53 of a chain of behaviors 54. Each behavior pointsto a set of vnode operations 58 and at least filesystem specific inodedata structure 56 c. In the case of files which are only being accessedby applications running directly on the metadata server 22 b, onlybehavior 54 c is present and the vnode operations 58 c are serviceddirectly by the underlying filesystem, e.g., XFS. The vnode operations58 are typical file system operations, such as create, lookup, read,write. When the filesystem is being accessed on, e.g., server 22 b, byapplications running on client nodes, then at least behavior 54 b isalso present. In this case the vnode operations 58 b manage thedistribution of the file metadata between nodes in the cluster, and inturn use vnode operations 58 c to perform requested manipulations of thefile metadata. If the filesystem is DMAPI-enabled, behavior 54 aprecedes any CXFS related behaviors, such as behavior 54 b.

Token Infrastructure

The tokens operated on by the token client 46 and token server 50 in anexemplary embodiment are listed below. Each token may have three levels,read, write, or shared write. Token clients 46 a and 46 b (FIG. 3)obtain tokens from the token server 50. Each of the token levels, read,shared write and write, conflicts with the other levels, so a requestfor a token at one level will result in the recall of all tokens atdifferent levels prior to the token being granted to the client whichrequested it. The write level of a token also conflicts with othercopies of the write token, so only one client at a time can have thewrite token. Different tokens are used to protect access to differentparts of the data and metadata associated with a file.

Certain types of write operations may be performed simultaneously bymore than one client, in which case the shared write level is used. Anexample is maintaining the timestamps for a file. To reduce overhead,when reading or writing a file, multiple clients can hold the sharedwrite level and each update the timestamps locally. If a client needs toread the timestamp, it obtains the read level of the token. This causesall the copies of the shared write token to be returned to the metadataserver 22 b along with each client's copy of the file timestamps. Themetadata server selects the most recent timestamp and returns this tothe client requesting the information along with the read token.

Acquiring a token puts a reference count on the token, and prevents itfrom being removed from the token client. If the token is not alreadypresent in the token client, the token server is asked for it. This issometimes also referred to as obtaining or holding a token. Releasing atoken removes a reference count on a token and potentially allows it tobe returned to the token server. Recalling or revoking a token is theact of asking a token client to give a token back to the token server.This is usually triggered by a request for a conflicting level of thetoken.

When a client needs to ask the server to make a modification to a file,it will frequently have a cached copy of a token at a level which willconflict with the level of the token the server will need to modify thefile. In order to minimize network traffic, the client ‘lends’ its readcopy of the token to the server for the duration of the operation, whichprevents the server from having to recall it. The token is given back tothe client at the end of the operation.

Following is a list of tokens in an exemplary embodiment:

DVN_EXIST is the existence token. Represents the fact that a client hasreferences to the vnode. Each client which has a copy of the inode hasthe read level of this token and keeps it until they are done with theinode. The client does not acquire and release this token aroundoperations, it just keeps it in the token client. The server keeps onereference to the vnode (which keeps it in memory) for each client whichhas an existence token. When the token is returned, this reference countis dropped. If someone unlinks the file—which means it no longer has aname, then the server will conditionally recall all the existencetokens. A conditional recall means the client is allowed to refuse tosend the token back. In this case the clients will send back all thetokens and state they have for the vnode if no application is currentlyusing it. Once all the existence tokens are returned, the referencecount on the server's vnode drops to zero, and this results in the filebeing removed from the filesystem.DVN_IOEXCL is the I/O exclusive token. The read token is obtained by anyclient making read or write calls on the vnode. The token is held acrossread and write operations on the file. The state protected by this tokenis what is known as the I/O exclusive state. This state is cached on allthe clients holding the token. If the state is true then the clientknows it is the only client performing read/write operations on thefile. The server keeps track of when only one copy of the token has beengranted to a client, and before it will allow a second copy to be givenout, it sends a message to the first client informing it that the I/Oexclusive state has changed from true to false. When a client has an I/Oexclusive state of true is allowed to cache changes to the file moreaggressively than otherwise.DVN_IO is the IO token which is used to synchronize between read andwrite calls on different computers. CXFS enforces a rule that bufferedreads are atomic with respect to buffered writes, and writes are atomicwith respect to other writes. This means that a buffered read operationhappens before or after a write, never during a write. Buffered readoperations hold the read level of the token, buffered writes hold thewrite level of the token. Direct reads and writes hold the read level ofthe token.DVN_PAGE_DIRTY represents the right to hold modified file data in memoryon a system.DVN_PAGE_CLEAN represents the right to hold unmodified file data inmemory on a computer. Combinations of levels of DVN_PAGE_DIRTY andDVN_PAGE_CLEAN are used to maintain cache coherency across the cluster.DVN_NAME is the name token. A client with this token in the token clientfor a directory is allowed to cache the results of lookup operationswithin the directory. So if we have a name we are looking up in adirectory, and we have done the same lookup before, the token allows usto avoid sending the lookup to the server. An operation such as removingor renaming, or creating a file in a directory will obtain the writelevel of the token on the server and recall the read token—invalidatingany cached names for that directory on those clients.DVN_ATTR protects fields such as the ownership information, the extendedattributes of the file, and other small pieces of information. Held bythe client for read, and by the server for write when the server ismaking modifications. Recall of the read token causes the invalidationof the extended attribute cache.DVN_TIMES protects timestamp fields on the file. Held at the read levelby hosts who are looking at timestamps, held at the shared write levelby hosts doing read and write operations, and held at the write level onthe server when setting timestamps to an explicit value. Recall of theshared write token causes the client to send back its modifiedtimestamps, the server uses the largest of the returned values as thetrue value of the timestamp.DVN_SIZE protects the size of the file, and the number of disk blocks inuse by the file. Held for read by a client who wants to look at thesize, or for write by a client who has a true IO exclusive state. Thisallows the client to update the size of the file during write operationswithout having to immediately send the updated size back to the server.DVN_EXTENT protects the metadata which indicates where the data blocksfor a file are on disk, known as the extent information. When a clientneeds to perform read or write operation it obtains the read level ofthe token and gets of a copy of the extent information with it. Anymodification of the extent information is performed on the server and isprotected by the write level of the token. A client which needs spaceallocated in the file will lend its read token to the server for thisoperation.DVN_DMAPI protects the DMAPI event mask. Held at the read level duringIO operations to prevent a change to the DMAPI state of the file duringthe IO operation. Only held for write by DMAPI on the server.

Data coherency is preferably maintained between the nodes in a clusterwhich are sharing access to a file by using combinations of theDVN_PAGE_DIRTY and DVN_PAGE_CLEAN tokens for the different forms ofinput/output. Buffered and memory mapped read operations hold theDVN_PAGE_CLEAN_READ token, while buffered and memory mapped writeoperations hold the DVN_PAGE_CLEAN_WRITE and VN_PAGE_DIRTY_WRITE tokens.Direct read operations hold the DVN_PAGE_CLEAN_SHARED_WRITE token anddirect write operations hold the DVN_PAGE_CLEAN_SHARED_WRITE andVN_PAGE_DIRTY_SHARED_WRITE tokens. Obtaining these tokens causes othernodes in the cluster which hold conflicting levels of the tokens toreturn their tokens. Before the tokens are returned, these client nodesperform actions on their cache of file contents. On returning theDVN_PAGE_DIRTY_WRITE token a client node must first flush any modifieddata for the file out to disk and then discard it from cache. Onreturning the DVN_PAGE_CLEAN_WRITE token a client node must first flushany modified data out to disk. If both of these tokens are beingreturned then both the flush and discard operations are performed. Onreturning the DVN_PAGE_CLEAN_READ token to the server, a client nodemust first discard any cached data for the file it has in system memory.

An illustration to aid in understanding how tokens are requested andreturned is provided in FIG. 5. A metadata client (dcvn) needs toperform an operation, such as a read operation on a file that has notpreviously been read by that process. Therefore, metadata client 44 asends a request on path 62 to token client 46 a at the same node, e.g.,node 22 a. If another client process at that node has obtained the readtoken for the file, token client 46 a returns the token to object client44 a and access to the file by the potentially competing processes iscontrolled by the operating system of the node. If token client 46 adoes not have the requested read token, object client 44 a is soinformed via path 64 and metadata client 44 a requests the token frommetadata server (dsvn) 48 via path 66. Metadata server 48 requests theread token from token server 50 via path 68. If the read token isavailable, it is returned via paths 68 and 66 to metadata client 44 awhich passes the token on to token client 46 a. If the read token is notavailable, for example if metadata client 44 c has a write token, thewrite token is revoked via paths 70 and 72.

If metadata client 44 a had wanted a write token in the precedingexample, the write token must be returned by metadata client 44 c. Therequest for the write token continues from metadata client 44 c to tokenclient 46 c via path 74 and is returned via paths 76 and 78 to metadataserver 48 which forwards the write token to token server 50 via path 80.Once token server 50 has the write token, it is supplied to metadataclient 44 a via paths 68 and 66 as in the case of the read tokendescribed above.

Appropriate control of the tokens for each file by metadata server 48 atnode 22 b enables nodes 22, 24, 26 in the cluster to share all of thefiles on disk 28 using direct access via Fibre Channel 30, 32. Tomaximize the speed with which the data is accessed, data on the disk 28are cached at the nodes as much as possible. Therefore, before returninga write token, the metadata client 44 flushes the write cache to disk.Similarly, if it is necessary to obtain a read token, the read cache ismarked invalid and after the read token is obtained, contents of thefile are read into the cache.

Mounting of a filesystem as a metadata server is arbitrated by adistributed name service (DNS), such as “white pages” from SGI. A DNSserver runs on one of the nodes, e.g., node 22 c, and each of the othernodes has DNS clients. Subsystems such as the filesystem, when firstattempting to mount a filesystem as the metadata server, first attemptto register a filesystem identifier with the distributed name service.If the identifier does not exist, the registration succeeds and the nodemounts the filesystem as the server. If the identifier is alreadyregistered, the registration fails and the contents of the existingentry for the filesystem identifier are returned, including the nodenumber of the metadata server for the filesystem.

Hierarchical Storage Management

In addition to caching data that is being used by a node, in thepreferred embodiment hierarchical storage management (HSM), such as thedata migration facility (DMF) from SGI, is used to move data to and fromtertiary storage, particularly data that is infrequently used. Asillustrated in FIG. 6, process(es) that implement HSM 88 preferablyexecute on the same node 22 b as metadata server 48 for the filesystem(s) under hierarchical storage management. Also residing on node22 b are the objects that form DMAPI 90 which interfaces between HSM 88and metadata server 48.

Flowcharts of the operations performed when client node 22 a requestsaccess to data under hierarchical storage management are provided inFIGS. 7 and 8. When user application 92 (FIG. 6) issues I/O requests 94(FIG. 7) the DMAPI token must be acquired 96. This operation isillustrated in FIG. 8 where a request for the DMAPI token is issued 98to metadata client 46 a. As discussed above with respect to FIG. 5,metadata client 46 a determines 100 whether the DMAPI token is held atclient node 22 a. If not, a lookup operation on the metadata server 22 band the token request is sent. When metadata server 22 b receives 206the token request, it is determined 108 whether the token is available.If not, the conflicting tokens are revoked 110 and metadata server 22 bpauses or goes into a loop until the token can be granted 112. Filesunder hierarchical storage management have a DMAPI event mask (discussedfurther below) which is then retrieved 114 and forwarded 116 with theDMAPI token. Metadata client 22 a receives 118 the token and the DMAPIevent mask and updates 120 the local DMAPI event mask. The DMAPI tokenis then held 222 by token client 46 a.

As illustrated in FIG. 7, next the DMAPI event mask is checked todetermined 124 whether a DMAPI event is set, i.e., to determine whetherthe file to be accessed is under hierarchical storage management. If so,another lookup 126 of the metadata server is performed as in step 102 sothat a message can be sent 128 to the metadata server informing themetadata server 22 b of the operation to be performed. When server node22 b receives 130 the message, metadata server 48 sends 132 notificationof the DMAPI event to DMAPI 90 (FIG. 6). The DMAPI event is queued 136and subsequently processed 138 by DMAPI 90 and HSM 88.

The possible DMAPI events are read, write and truncate. When a readevent is queued, the DMAPI server informs the HSM software to ensurethat data is available on disks. If necessary, the file requested to beread is transferred from tape to disk. If a write event is set, the HSMsoftware is informed that the tape copy will need to be replaced orupdated with the contents written to disk. Similarly, if a truncateevent is set, the appropriate change in file size is performed, e.g., bywriting the file to disk, adjusting the file size and copying to tape.

Upon completion of the DMAPI event, a reply is forwarded 140 by metadataserver 50 to client node 22 a which receives 142 the reply and userapplication 92 performs 146 input/output operations. Upon completion ofthose operations, the DMAPI token is released 148.

Maintaining System Availability

In addition to high-speed disk access obtained by caching data andshared access to disk drives via a SAN, it is desirable to have highavailability of the cluster. This is not easily accomplished with somuch data being cached and multiple nodes sharing access to the samedata. Several mechanisms are used to increase the availability of thecluster as a whole in the event of failure of one or more of thecomponents or even an entire node, including a metadata server node.

One aspect of the present invention that increases the availability ofdata is the mirroring of data volumes in mass storage 28. As in the caseof conventional mirroring, during normal operation the same data iswritten to multiple devices. Mirroring may be used in conjunction withstriping in which different portions of a data volume are written todifferent disks to increase speed of access. Disk concatenation can beused to increase the size of a logical volume. Preferably, the volumemanager allows any combination of striping, concatenation and mirroring.FIG. 9 provides an example of a volume 160 that has a mirror 162 with aleg 164 that is a concatenation of data on two physical disks 166, 168and an interior mirror 170 of two legs 172, 174 that are each stripedacross three disks 176, 178, 180 and 182, 184, 186.

The volume manager may have several servers which operate independently,but are preferably chosen using the same logic. A node is selected fromthe nodes that have been in the cluster membership the longest and arecapable of hosting the server. From that pool of nodes the lowestnumbered node is chosen. The volume manager servers are chosen atcluster initialization time or when a server failure occurs. In anexemplary embodiment, there are four volume manager servers, termedboot, config, mirror and pal.

The volume manager exchanges configuration information at clusterinitialization time. The boot server receives configuration informationfrom all client nodes. Some of the client nodes could have differentconnectivity to disks and thus, could have different configurations. Theboot server merges the configurations and distributes changes to eachclient node using a volume manager multicast facility. This facilitypreferably ensures that updates are made on all nodes in the cluster ornone of the nodes using two-phase commit logic. After clusterinitialization it is the config server that coordinates changes. Themirror server maintains the mirror specific state information aboutwhether a revive is needed and which mirror legs are consistent.

In a cluster system according to the present invention, all data volumesand their mirrors in mass storage 28 are accessible from any node in thecluster. Each mirror has a node assigned to be its mirror master. Themirror master may be chosen using the same logic as the mirror serverwith the additional constraint that it must have a physical connectionto the disks. During normal operation, queues may be maintained forinput/output operations for all of the client nodes by the mirror masterto make the legs of the mirror consistent across the cluster. In theevent of data loss on one of the disk drives forming mass storage 28, amirror revive process is initiated by the mirror master, e.g., node 22 c(FIG. 2), which detects the failure and is able to execute the mirrorrevive process.

If a client node, e.g., node 22 a, terminates abnormally, the mirrormaster node 22 c will search the mirror input/output queues foroutstanding input/output operations from the failed node and remove theoutstanding input/output operations from the queues. If a writeoperation from a failed process to a mirrored volume is in a mirrorinput/output queue, a mirror revive process is initiated to ensure thatmirror consistency is maintained. If the mirror master fails, a newmirror master is selected and the mirror revive process starts at thebeginning of the mirror of a damaged data volume and continues to theend of the mirror.

When a mirror revive is in progress, the mirror master coordinatesinput/output to the mirror. The mirror revive process uses an overlapqueue to hold I/O requests from client nodes made during the mirrorrevive process. Prior to beginning to read from an intact leg of themirror, the mirror revive process ensures that all other input/outputactivity to the range of addresses is complete. Any input/outputrequests made to the address range being revived are refused by themirror master until all the data in that range of addresses has beenwritten by the mirror revive process.

If there is an I/O request for data in an area that is currently beingcopied in reconstructing the mirror, the data access is retried after apredetermined time interval without informing the application processwhich requested the data access. When the mirror master node 22 creceives a message that an application wants to do input/output to anarea of the mirror that is being revived, the mirror master node 22 cwill reply that the access can either, proceed or that the I/O requestoverlaps an area being revived. In the latter case, the client node willenter a loop in which the access is retried periodically until it issuccessful, without the application process being aware that this isoccurring.

Input/output access to the mirror continues during the mirror reviveprocess with the volume manager process keeping track of the firstunsynchronized block of data to avoid unnecessary communication betweenclient and server. The client node receives the revive status and cancheck to see if it has an I/O request preceding the area beingsynchronized. If the I/O request precedes that area, the I/O requestwill be processed as if there was no mirror revive in progress.

Data read from unreconstructed portions of the mirror by applicationsare preferably written to the copy being reconstructed, to avoid anadditional read at a later period in time. The mirror revive processkeeps track of what blocks have been written in this manner. New datawritten by applications in the portion of the mirror that already havebeen copied by the mirror revive process are mirrored using conventionalmirroring. If an interior mirror is present, it is placed in writebackmode. When the outer revive causes reads to the interior mirror, it willautomatically write to all legs of the interior mirror, thussynchronizing the interior mirror at the same time.

Recovery and Relocation

In the preferred embodiment, a common object recovery protocol (CORPSE)is used for server endurance. As illustrated in FIG. 10, if a nodeexecuting a metadata server fails, the remaining nodes will become awareof the failure from loss of heartbeat, error in messaging or by deliveryof a new cluster membership excluding the failed node. The first step inrecovery or initiation of a cluster is to determine the membership androles of the nodes in the cluster. If the heartbeat signal is lost froma node or a new node is detected in the cluster, a new membership mustbe determined. To enable a computer system to access a clusterfilesystem, it must first be defined as a member of the cluster, i.e., anode, in that filesystem.

As illustrated in FIG. 10, when a node begins 202 operation, it enters anascent state 204 in which it detects the heartbeat signals from othernodes and begins transmitting its own heartbeat signal. When enoughheartbeat signals are detected to indicate that there are sufficientoperating nodes to form a viable cluster, requests are sent forinformation regarding whether there is an existing membership for thecluster. If there is an existing leader for the cluster, the request(s)will be sent to the node in the leader state 206. If there is noexisting leader, conventional techniques are used to elect a leader andthat node transitions to the leader state 206. For example, a leader maybe selected that has been a member of the cluster for the longest periodof time and is capable of being a metadata server.

The node in the leader state 206 sends out messages to all of the othernodes that it has identified and requests information from each of thosenodes about the nodes to which they are connected. Upon receipt of thesemessages, nodes in the nascent state 204 and stable state 208 transitionto the follower state 210. The information received in response to theserequests is accumulated by the node in the leader state 206 to identifythe largest set of fully connected nodes for a proposed membership.Identifying information for the nodes in the proposed membership is thentransmitted to all of the nodes in the proposed membership. Once allnodes accept the membership proposed by the node in the leader state206, all of the nodes in the membership transition to the stable state208 and recovery is initiated 212 if the change in membership was due toa node failure. If the node in the leader state 206 is unable to findsufficient operating nodes to form a cluster, i.e., a quorum, all of thenodes transition to a dead state 214.

If a node is deactivated in an orderly fashion, the node sends awithdrawal request to the other nodes in the cluster, causing one of thenodes to transition to the leader state 206. As in the case describedabove, the node in the leader state 206 sends a message with a proposedmembership causing the other nodes to transition to the follower state210. If a new membership is established, the node in the leader state206 sends an acknowledgement to the node that requested withdrawal frommembership and that node transitions to a shutdown state 216, while theremaining nodes transition to the stable state 208.

In the stable state 208, message channels are established between thenodes 22, 24, 26 over LAN 34. A message transport layer in the operatingsystem handles the transmission and receipt of messages over the messagechannels. One set of message channels is used for general messages, suchas token requests and metadata. Another set of channels is used just formembership. If it is necessary to initiate recovery 212, the stepsillustrated in FIG. 11 are performed. Upon detection of a node failure222, by loss of heartbeat or messaging failure, the message transportlayer in the node detecting the failure freezes 224 the general messagechannels between that node and the failed node and disconnects themembership channels. The message transport layer then notifies 226 thecell membership services (CMS) daemon.

Upon notification of a node failure, the CMS daemon blocks 228 new nodesfrom joining the membership and initiates 230 the membership protocolrepresented by the state machine diagram in FIG. 10. A leader isselected and the process of membership delivery 232 is performed asdiscussed above with respect to FIG. 10.

In the preferred embodiment, CMS includes support for nodes to operateunder different versions of the operating system, so that it is notnecessary to upgrade all of the nodes at once. Instead, a rollingupgrade is used in which a node is withdrawn from the cluster, the newsoftware is installed and the node is added back to the cluster. Thetime period between upgrades may be fairly long, if the peopleresponsible for operating the cluster want to gain some experience usingthe new software.

Version tags and levels are preferably registered by the varioussubsystems to indicate version levels for various functions within thesubsystem. These tags and levels are transmitted from follower nodes tothe CMS leader node during the membership protocol 230 when joining thecluster. The information is aggregated by the CMS leader node andmembership delivery 232 includes the version tags and levels for any newnode in the cluster. As a result all nodes in the know the versionlevels of functions on other nodes before any contact between them ispossible so they can properly format messages or execute distributedalgorithms.

Upon initiation 212 of recovery, the following steps are performed. Thefirst step in recovery involves the credential service subsystem. Thecredential subsystem caches information about other nodes, so that eachservice request doesn't have to contain a whole set of credentials. Asthe first step of recovery, the CMS daemon notifies 234 the credentialsubsystem in each of the nodes to flush 236 the credentials from thefailed node.

When the CMS daemon receives acknowledgment that the credentials havebeen flushed, common object recovery is initiated 238. Details of thecommon object recovery protocol for server endurance (CORPSE) will bedescribed below with respect to FIG. 12. An overview of the CORPSEprocess is illustrated in FIG. 11, beginning with the interrupting 240of messages from the failed node and waiting for processing of thesemessages to complete. Messages whose service includes a potentiallyunbounded wait time are returned with an error.

After all of the messages from the failed node have been processed,CORPSE recovers the system in three passes starting with the lowestlayer (cluster infrastructure) and ending with the file system. In thefirst pass, recovery of the kernel object relocation engine (KORE) isexecuted 242 for any in-progress object relocation involving a failednode. In the second pass, the distributed name server (white pages) andthe volume manager, such as XVM, are recovered 244 making these servicesavailable for filesystem recovery. In the third pass the filesystem isrecovered 246 to return all files to a stable state based on informationavailable from the remaining nodes. Upon completion of the third pass,the message channels are closed 248 and new nodes are allowed 250 tojoin.

As illustrated in FIG. 12, the first step in CORPSE is to elect 262 aleader for the purposes of recovery. The CORPSE leader is elected usingthe same algorithm as described above with respect to the membershipleader 206. In the event of another failure before recovery iscompleted, a new leader is elected 262. The node selected as the CORPSEleader initializes 264 the CORPSE process to request the metadata clientprocesses on all of the nodes to begin celldown callouts as describedbelow. The purpose of initialization is to handle situations in whichanother node failure is discovered before a pass is completed. First,the metadata server(s) and clients initiate 266 message interrupts andholds all create locks.

The next step to be performed includes detargeting a chandle. A chandleor client handle is a combination of a barrier lock, some stateinformation and an object pointer that is partially subsystem specific.A chandle includes a node identifier for where the metadata server canbe found and a field that the subsystem defines which tells the chandlehow to locate the metadata server on that node, e.g., using a hashaddress or an actual memory address on the node. Also stored in thechandle is a service identifier indicating whether the chandle is partof the filesystem, vnode file, or distributed name service and amulti-reader barrier lock that protects all of this. When a node wantsto send a message to a metadata server, it acquires a hold on themulti-reader barrier lock and once that takes hold the serviceinformation is decoded to determine where to send the message and themessage is created with the pointer to the object to be executed oncethe message reaches the metadata server.

With messages interrupted and create locks held, celldown callouts areperformed 268 to load object information into a manifest object anddetarget the chandles associated with the objects put into the manifest.By detargeting a chandle, any new access on the associated object isprevented. The create locks are previously held 266 on the objectsneeded for recovery to ensure that the objects are not instantiated forcontinued processing on a client node in response to a remote processingcall (RPC) previously initiated on a failed metadata server. An RPC is athread initiated on a node in response to a message from another node toact as a proxy for the requesting node. In the preferred embodiment,RPCs are used to acquire (or recall) tokens for the requesting node.During celldown callouts 268 the metadata server recovers from any lostclients, returning any tokens the client(s) held and purging any stateheld on behalf of the client.

The CORPSE subsystems executing on the metadata clients go through allof the objects involved in recovery and determine whether the server forthat client object is in the membership for the cluster. One way ofmaking this determination is to examine the service value in the chandlefor that client object, where the service value contains a subsystemidentifier and a server node identifier. Object handles which identifythe subsystems and subsystem specific recovery data necessary to carryout further callouts are placed in the manifest. Server nodes recoverfrom client failure during celldown callouts by returning failed clienttokens and purging any state associated with the client.

When celldown callouts have been performed 268 for all of the objectsassociated with a failed node, the operations frozen 266 previously arethawed or released 270. The message channel is thawed 270, so that anythreads that are waiting for responses can receive error messages that acell is down, i.e., a node has failed, so that that the threads can doany necessary cleanup and then drop the chandle hold. This allows all ofthe detargets to be completed. In addition, the create locks arereleased 270. The final result of the operations performed in step 270is that all client objects associated with the filesystem are quiesced,so that no further RPCs will be sent or are awaiting receipt.

After the celldown callouts 268 have processed the information about thefailed node(s), vote callouts are performed 272 in each of the remainingnodes to elect a new server. The votes are sent to the CORPSE leaderwhich executes 274 election callouts to identify the node(s) that willhost the new servers. The election algorithm used is subsystem specific.The filesystem selects the next surviving node listed as a possibleserver for the filesystem, while the DNS selects the oldest servercapable node.

When all of the nodes are notified of the results of the election,gather callouts are performed 276 on the client nodes to createmanifests for each server on the failed node(s). Each manifest containsinformation about one of the servers and is sent to the node elected tohost that server after recovery. A table of contents of the informationin the bag is included in each manifest, so that reconstruct calloutscan be performed 278 on each object and each manifest from each of thenodes.

The reconstruct callouts 278 are executed on the new elected server toextract information from the manifests received from all the nodes whilethe chandles are detargeted, so that none of the nodes attempt to accessthe elected server. When the reconstruct callouts 278 are completed, amessage is sent to the CORPSE leader that it is ready to commit 280 toinstantiate the objects of the server. The instantiate callouts are thenperformed 282 and upon instantiation of all of the objects, a commitment284 is sent to the CORPSE leader for retargeting the chandles to theelected server. The instantiate commit 280 and retarget commit 284 areperformed by the CORPSE leader, to save information regarding the extentof recovery, in case there is another node failure prior to completionof a pass. If a failure occurs prior to instantiate commit 280, the passis aborted and recovery is restarted with freezing 224 of messagechannels. However, once the CORPSE leader notifies any node to goforward with instantiating 282 new server(s), recovery of any new nodefailure is delayed until the current pass completes, then recovery rollsback to freezing 224 message channels. If the failed node contains theelected server, the client nodes are targeted to the now-failed serverand the process of recovering the server begins again.

In the case of the second pass, WP/XVM 244, a single chandle accessesthe DNS server and the manifest created at each client node contains allof the file identifiers in use at that node prior to entering recovery.During the reconstruct callouts 278 of the second pass, the DNS servergoes through all of the entries in the manifest and creates a uniqueentry for each filesystem identifier it receives. If duplicate entriesarrive, which is likely since many nodes may have the entry for a singlefilesystem, tokens are allocated for the sending node in the previouslycreated entry.

After all of the retargets are performed 286 in each of the nodes, acomplete callout is performed 288 by the subsystem being recovered to doany work that is required at that point. Examples are deallocatingmemory used during recovery or purging any lingering state associatedwith a failed node, including removing DNS entries still referencing afailed node. These operations may be performed independently on each ofthe nodes. As discussed above with respect to FIG. 11, the stepsillustrated in FIG. 12 are preferably repeated in three passes asdifferent subsystems of the operating system are recovered. Aftercompletion 290 of the last pass, CORPSE is completed.

Kernel Object Relocation Engine

As noted above, the first pass 242 of recovery is to recover from anincomplete relocation of a metadata server. The kernel object relocationengine (KORE) is used for an intentional relocation of the metadataserver, e.g. for an unmount of the server or to completely shutdown anode at which a metadata server is located, to return the metadataserver to a previously failed node, or for load shifting. Provided nonodes fail, during relocation an object manifest can be easily created,since all of the information required for the new, i.e., target,metadata server can be obtained from the existing, i.e., source,metadata server.

As illustrated in FIG. 13, KORE begins with source node prepare phase302, which ensures that filesystem is quiesced before starting therelocation. When all of the objects of the metadata server are quiesced,they are collected into an object manifest and sent 304 to the targetmetadata server. Most of the steps performed by the target metadataserver are performed in both relocation and recovery. The target node isprepared 306 and an object request is sent 308 from the target metadataserver to the source metadata server to obtain a bag containing thestate of the object being relocated.

In response, the source metadata server initiates 310 retargeting andcreation of client structures (objects) for the vnodes and the vfs, thenall clients are informed 312 to detarget 314 that node as the metadataserver. When the source metadata server has been informed that all ofthe clients have completed detargeting 314, a source bag is generated316 with all of the tokens and the state of server objects which aresent 318 to the target metadata server. The target metadata serverunbags 320 the objects and initiates execution of the metadata server.The target metadata server informs the source metadata server to inform322 the clients to retarget 324 the target metadata server. In addition,the target metadata server sends a message to all nodes in the clusterto update the DNS entries for the filesystem to reference the node ofthe target metadata server. The source metadata server is informed wheneach of the clients completes retargeting 324, so that the source nodecan end 326 operation as the metadata server and processing resumes onthe target metadata server.

Illustrated in FIG. 15A is a flowchart of a thread moving through arelevant part of the kernel during relocation of a server which includesconverting from vnode 42 on a server (FIG. 4A) to vnode 42 on a client(FIG. 4B). The thread enters the kernel to perform I/O operations anduses VOP_READ 404 to obtain the read operation from the first behavioron the vnode behavior chain. As noted above, FIG. 4A is a vnode behaviorchain for a DMAPI-enabled filesystem on metadata server 22 b.

At the start of VOP_READ 404, the behavior head 53 (FIG. 4A) is locked406 to prevent the list of behaviors linked off behavior head 53 fromchanging during I/O operations by locking the vnode or virtual metadata.Next, read operations are called 410 which will include performingdmapi_bnc read 412 by linking to behavior 54 a (FIG. 4A) which includesdmapi_bnc object 56 a and vnode operations 58 a. The dmapi_bnc readoperation 412 is illustrated in FIG. 15B. The vnode operations 58 a, 58b and 58 c in the behavior chain illustrated in FIG. 4A are executed byfirst calling 414 the next read operation, i.e., dsvn inode 56 b andvnode operations 58 b. Normally, the next call would be to behavior 54 cwhich includes XFS inode 56 c and vnode operations 58 c. Each behaviorlayer passes the operation on to the next behavior layer, with eachlayer doing its part of the I/O operation.

When a filesystem is DMAPI-enabled, as illustrated in FIGS. 4A and 4B,it can take a relatively long time to resolve DMAPI requests. Since thebehavior head 53 of vnode 42 is locked 406 during the example readoperation illustrated in FIG. 15A, conversion of vnode 42, andrelocation of the filesystem, could be held off for an unacceptably longtime. During this time, the thread is waiting in the DMAPI queue inQueue DMAPI Event 136 (FIG. 7). Please note that in the descriptionabove, Queue DMAPI Event 136 is reached via Send DMAPI Event 132, butSend DMAPI Event 132 could be entered via routes other than the oneshown in FIG. 7.

As discussed above with respect to FIG. 13, KORE begins with SourcePrepare 302 in which DMAPI learns that filesystem server 22 b is beingrelocated. According to the present invention this information is usedby DMAPI 90 (FIG. 6) to wake up a thread in Queue DMAPI Event 136, byreturning a migrating error and prevent the thread from reaching ProcessDMAPI Event 138. However, since relocation is supposed to be transparentto users, this error is not returned to the user. Instead, to avoiddelaying relocation, the read operations called 412 previously returnsand the process flow illustrated in FIG. 15B continues. If a migratingerror is returned 416, behavior head 53 is unlocked 418 during executionof dmapi_bnc to permit vnode 42 to be converted and the thread enters aloop waiting for conversion and relocation to complete, making the lockavailable 420.

After conversion and relocation are completed and the lock becomesavailable 420, behavior head 53 is locked 422 and processing ofdmapi_bnc continues with calling 414 the next read operation. However,since conversion is completed, the vnode's behavior chain will look likeFIG. 4B. In the scenario described above, the thread is executing vnodeoperations 58 a when the next read operation is called 414 and nowbehavior 58 d (FIG. 4B) will be called 414 rather than behavior 58 b(FIG. 4A) and the thread will move to Queue DMAPI Event 136 in FIG. 7.After all operations are completed, behavior head 53 is unlocked 424with the chain of behaviors for vnode 42 illustrated in FIG. 4Aconverted to the chain of behaviors illustrated in FIG. 4B. A similarprocess is performed on threads in a client node which becomes theserver node to change from the behavior chain illustrated in FIG. 4B tothe behavior chain illustrated in FIG. 4A.

The stages of the relocation process are illustrated in FIGS. 14A-14H.As illustrated in FIG. 14A, during normal operation the metadata clients(MDCs) 44 a and 44 c at nodes 22 a and 22 c send token requests tometadata server (MDS) 48 b on node 22 b. When a relocation request isreceived, metadata server 48 b sends a message to node 22 c to create aprototype metadata server 48 c as illustrated in FIG. 14B. A newmetadata client object is created on node 22 b, as illustrated in FIG.14C, but initially messages to the prototype metadata server 48 c areblocked. Next, all of the metadata clients 44 a are instructed todetarget messages for the old metadata server 48 b, as illustrated inFIG. 14D. Then, as illustrated in FIG. 14E, the new metadata server 48 cis instantiated and is ready to process the messages from the clients,so the old metadata server 48 b instructs all clients to retargetmessages to the new metadata server 48 c, as illustrated in FIG. 14F.Finally, the old metadata server 48 b node 22 b is shut down asillustrated in FIG. 14G and the metadata client 44 c is shut down onnode 22 c as illustrated in FIG. 14H. As indicated in FIG. 3, the tokenclient 46 c continues to provide local access by processing tokens forapplications on node 22 c, as part of the metadata server 48 c.

Interruptible Token Acquisition

Preferably interruptible token acquisition is used to enable recoveryand relocation in several ways: (1) threads processing messages fromfailed nodes that are waiting for the token state to stabilize are sentan interrupt to be terminated to allow recovery to begin; (2) threadsprocessing messages from failed nodes which may have initiated a tokenrecall and are waiting for the tokens to come back are interrupted; (3)threads that are attempting to lend tokens which are waiting for thetoken state to stabilize and are blocking recovery/relocation areinterrupted; and (4) threads that are waiting for the token state tostabilize in a filesystem that has been forced offline due to error areinterrupted early. Threads waiting for the token state to stabilizefirst call a function to determine if they are allowed to wait, i.e.none of the factors above apply, then go to sleep until some otherthread signals a change in token state.

To interrupt, CORPSE and KORE each wake all sleeping threads. Thesethreads loop, check if the token state has changed and if not attempt togo back to sleep. This time, one of the factors above may apply and ifso a thread discovering it returns immediately with an “early” status.This tells the upper level token code to stop trying to acquire, lend,etc. and to return immediately with whatever partial results areavailable. This requires processes calling token functions to beprepared for partial results. In the token acquisition case, the callingprocess must be prepared to not get the token(s) requested and to beunable to perform the intended operation. In the token recall case, thismeans the thread will have to leave the token server data structure in apartially recalled state. This transitory state is exited when the lastof the recalls comes in, and the thread returning the last recalledtoken clears the state. In lending cases, the thread will return early,potentially without all tokens desired for lending.

The many features and advantages of the invention are apparent from thedetailed specification and, thus, it is intended by the appended claimsto cover all such features and advantages of the invention that fallwithin the true spirit and scope of the invention. Further, sincenumerous modifications and changes will readily occur to those skilledin the art, it is not desired to limit the invention to the exactconstruction and operation illustrated and described, and accordinglyall suitable modifications and equivalents may be resorted to, fallingwithin the scope of the invention.

1. A method of executing operations on virtual metadata, comprising:initiating an operation on the virtual metadata; locking the virtualmetadata during execution of the operation; beginning execution of theoperation on the virtual metadata; determining whether a source metadataserver maintaining the virtual metadata is to be relocated duringexecution of the operation, wherein relocation of the source metadataserver involves sending the virtual metadata from the source metadataserver to a target metadata server; determining whether the virtualmetadata is under hierarchical storage management; releasing a lock onthe virtual metadata in response to relocation of the source metadataserver during execution of the operation on the virtual metadata and thevirtual metadata being under hierarchical storage management.
 2. Amethod as recited in claim 1, wherein the virtual metadata is formed asa private data chain, and said method further comprises locking apointer to the private data chain prior to linking to a first item ofprivate data in the private data chain.
 3. A method as recited in claim2, further comprising waiting, after said releasing, for availability ofa lock on the pointer to the private data chain upon completion ofrelocation of the source metadata server, before continuing withexecution of operations on the virtual metadata.
 4. A method as recitedin claim 3, wherein said releasing, waiting and continuing execution ofoperations on the virtual metadata after relocation of the sourcemetadata server are performed transparently to users.
 5. A method ofrelocating a metadata server in a network of computer system nodes inwhich DMAPI has been implemented, comprising: retargeting objects on thecomputer system nodes accessing a current metadata server to a newmetadata server; locking virtual metadata maintained by the currentmetadata server during execution thereof by one of the computer systemnodes, the virtual metadata being DMAPI enabled; beginning execution ofthe operation on the virtual metadata; initiating relocation of thecurrent metadata server to the new metadata server during execution ofthe virtual metadata, wherein relocation involves sending the virtualmetadata from the current metadata server to the new metadata server;releasing a lock on the virtual metadata in response to initiatingrelocation of the metadata server during execution of the virtualmetadata; sending the virtual metadata from the current metadata serverto the new metadata server.
 6. A method as recited in claim 5, whereinthe virtual metadata is formed as a private data chain, and said methodfurther comprises locking a pointer to the private data chain prior tolinking to a first item of private data in the private data chain.
 7. Amethod as recited in claim 6, further comprising waiting, after saidreleasing, for availability of a lock on the pointer upon completion ofrelocation of the metadata server, before continuing with execution ofoperations on the virtual metadata.
 8. A method as recited in claim 7,wherein said releasing, waiting and continuing execution of operationson the virtual metadata after relocation of the metadata server areperformed transparently to users.
 9. A cluster of computer systems,comprising: storage devices storing at least one file; a storage areanetwork coupled to said storage devices; at least one metadata servernode, coupled to said storage area network; and at least one metadataclient node, coupled to said storage area network, the at least onemetadata client node operable to: initiate an operation on the virtualmetadata; lock the virtual metadata during execution of the operation;begin execution of the operation on the virtual metadata; determinewhether a source metadata server maintaining the virtual metadata is tobe relocated during execution of the operation, wherein relocation ofthe source metadata server involves sending the virtual metadata fromthe source metadata server to a target metadata server; determinewhether the virtual metadata is under hierarchical storage management;release a lock on the virtual metadata in response to relocation of saidsource metadata server during execution of the operation on the virtualmetadata and the virtual metadata being under hierarchical storagemanagement.
 10. At least one computer readable medium storing at leastone computer program operating a cluster of computer system nodes,computer program upon execution operable to: initiate an operation onthe virtual metadata; lock the virtual metadata during execution of theoperation; begin execution of the operation on the virtual metadata;determine whether a source metadata server maintaining the virtualmetadata is to be relocated during execution of the operation, whereinrelocation of the source metadata server involves sending the virtualmetadata from the source metadata server to a target metadata server;determine whether the virtual metadata is under hierarchical storagemanagement; release a lock on the virtual metadata in response torelocation of the source metadata server during execution of theoperation on the virtual metadata and the virtual metadata being underhierarchical storage management.
 11. At least one computer readablemedium as recited in claim 10, wherein the virtual metadata is formed asa private data chain, and said method further comprises locking apointer to the private data chain prior to linking to a first item ofprivate data in the private data chain.
 12. At least one computerreadable medium as recited in claim 11, wherein said computer program isfurther operable to wait, after said releasing, for availability of alock on the pointer to the private data chain upon completion ofrelocation of the source metadata server, before continuing withexecution of operations on the virtual metadata.